24.10 Release notes

Table of Contents

Instabase 24.10 is a major release that introduces new features, enhancements, and bug fixes.

Subsequent patch releases typically contain bug fixes along with testing, optimizations, security fixes, and other internal changes.

24.10.24

April 16, 2025

This release contained no user-facing changes.

24.10.23

April 9, 2025

Security updates

Upgraded keras to version 3.8.0 to address vulnerability CVE-2024-55459.
Upgraded Gunicorn to version 23.0.0 to fix vulnerability CVE-2024-6827.
Updated module github.com/golang-jwt/jwt/v5 to v5.2.2 to address vulnerability CVE-2025-30204.
Removed wget from Dockerfile to fix vulnerability CVE-2021-31879.

24.10.22

April 5, 2025

No changes included with this release.

24.10.21

April 2, 2025

Bug fixes

You couldn’t access resumed jobs if they were more than 24 hours old in the job service.
PDFs were corrupted when processed under certain circumstances.
Job log processing experienced bottlenecks due to queue limitations.

Security updates

Resolved CVE-2024-45338 | Updated golang.org/x/net to v0.33.0 in weaviate.
Converted es-exporter to the Wolfi-based image.
Resolved CVE-2024-45338 | Updated golang.org/x/net to v0.33.0.

Release 24.10.20

April 2, 2025

This release contained no changes.

24.10.19

March 28, 2025

Enhancements

Improved security and stability in VictoriaMetrics by building binary from scratch and pinning Go version.

Bug fixes

Job logs could grow without limits because the maximum queue length configuration was not supported.

Release 24.10.18

March 28, 2025

This release contained no changes.

Release 24.10.17

March 19, 2025

Security updates

Updated jaeger with stdlib to version 1.19.6 or 1.20.1. CVE-2022-41724
Updated setuptools in jaeger to version 70.0.0. CVE-2024-6345

Release 24.10.16

March 12, 2025

Security updates

Updated pygments to version 2.15.1 to address a ReDoS vulnerability. CVE-2022-40896
Updated postgresql JDBC driver to address SQL injection vulnerabilities. CVE-2022-31197, CVE-2024-1597
Removed ray JAR files containing vulnerable dependencies. CVE-2018-8088

Release 24.10.15

March 12, 2025

Bug fixes

Deleted .keys call in post flow task to reduce Redis CPU usage.

Release 24.10.14

March 6, 2025

Fixed missing ibuser attribute in MODEL_SERVICE_OPERATION audit logs.
Updated netty-handler in table-tservice to 4.1.118.Final. CVE-2025-24970
Updated jackson-databind to 2.9.8. CVE-2018-19360

Release 24.10.13

February 27, 2025

Updated protobuf-java to 3.21.7. CVE-2022-3171, CVE-2022-3509, CVE-2022-3510
Updated protobuf-java to 4.28.2. CVE-2024-7254
Updated golang.org/x/net in weaviate. CVE-2023-45288

Release 24.10.12

February 19, 2025

Resolved [CVE-2021-26291] | Updated maven-core package to version 3.8.1.
Resolved [CVE-2017-1000487] | Updated plexus-utils package to version 3.0.16.

Release 24.10.11

February 12, 2025

Some account operation audit logs were empty.
The audit log for account creation logged the requestor username only if the account was created by an admin, but not if the account was created by the user.
The audit log for service account creation did not log the username of the user who initiated the request.
Resolved [CVE-2024-45341] Updated go to 1.22.11.
Resolved [CVE-2024-47874] | Updated starlette package to version 0.40.0.

Release 24.10.10

February 7, 2025

If the model service operation audit log doesn’t save the user’s username or email, it now returns UNKNOWN in the email field instead of causing an error.
Resolved [CVE-2024-47535] | Upgraded the netty-common package to version 4.1.115.
Resolved CVE-2024-56201 | Upgraded jinja2 to version 3.1.5.

Release 24.10.9

January 30, 2025

Human review did not correctly give some needed warnings.
Errors with Azure Blob store storage systems were not translated into their corresponding HTTP error codes, but were logged as INTERNAL errors.
Resolved [CVE-2024-32002] | Removed git from the ray-head Docker image.
Resolved [CVE-2018-1000021]
Resolved [CVE-2024-47554] | Updated the commons-io:commons-io package to version 2.14.0.
Resolved [CVE-2024-8096] | Updated jaeger-agent to 1.62.0.
Resolved [CVE-2024-8309] | Updated the langchain package to version 0.2.5.

Release 24.10.8

January 23, 2025

Resolved [CVE-2024-38820], [CVE-2024-38827] | Updated the springframework#spring-context library to version 6.1.14.
Resolved [CVE-2024-45337] | Updated the jaeger package to version 1.65.0.

Release 24.10.7

January 16, 2025

The OCR service crashed if it encountered many concurrent requests.
You can run accuracy reports on ground truth sets with class names greater than 31 characters.
Resolved [CVE-2024-45337] | Updated the crypto package to version 0.31.0.
Resolved [CVE-2023-28858], [CVE-2023-28859] | Updated redis package to version 4.5.3
Resolved [CVE-2024-24786] | Update the protobuf to version 1.33.0.
Resolved [CVE-2024-56326] | Update jinja package to version 3.1.5.
Resolved [CVE-2024-52804] | Updated the Python tornado package to version 6.4.2.

Release 24.10.6

January 7, 2025

Version 24.10.6 was not released.

Release 24.10.5

January 1, 2025

This release contained no changes.

Release 24.10.4

December 24, 2024

This release contained no changes.

Release 24.10.3

December 18, 2024

Searching by job ID didn’t work reliably for certain formats.
Resolved [CVE-2023-29401] | Updated the gin package to version 1.9.1.
Resolved [CVE-2024-47554] | Updated the ray package to version 2.39.0.
Resolved [CVE-2024-3095] | Updated the langchain package to version 0.2.10.
Resolved [CVE-2024-49767] | Updated werkzeug package to version 3.0.6.
Resolved [CVE-2023-28858] | Updated the redis package to version 4.5.3.

Release 24.10.2

Version 24.10.2 was not released.

Release 24.10.1

December 4, 2024

Resolved [GHSA-h4gh-qq45-vh27] | Updated cryptography package to version 43.0.1.
Resolved [CVE-2024-49767] | Updated werkzeug package to version 3.0.6.
Resolved [CVE-2024-5187] | Updated onnx package to version 1.17.0.

Release 24.10.0

Generally available: December 3, 2024

New features

Marketplace Admin

You can update your previously trained and published models to use the latest version of .ibformers, providing improved inference and security. Upgrades are available in Marketplace Admin for models that use .ibformers 2.0 or later and were trained in and published from ML Studio.

Enhancements

Improved maintenance cron job efficiency and performance by optimizing query parameters, reducing unnecessary deletions, and limiting cleanup to one week before the retention period.
You can now use uppercase letters in your username, service account names, and space names.
Model download performance has been improved.

Platform infrastructure

For especially high volume, you can cap the maximum number of jobs logs buffered in RabbitMQ, to prevent RabbitMQ from running out of memory. To limit the queue length, set the desired value in the environment variable RABBIT_MQ_JOB_LOGS_MAX_QUEUE_LENGTH.

Bug fixes

You can no longer upload files with names longer than 210 characters into ML Studio or Solution Builder, as it breaks model training.
Tasks could be marked as failed when api-server pods were temporarily overloaded. If this occurs now, the task is retried.
Changing the classification of a document in a V2 flow caused human review to crash.
Job count, which was previously removed from the Flow Review due to performance issues, has been reinstated, but you must enable it in Admin > Configuration.
Custom job ID strings that were not in UUID format would break human review.
The redactor step in a flow failed if you tried to redact text using the text_replace property.
If a username was in all uppercase letters, searching for the username did not return the user.
Batch requests to the model service experienced transient errors.
Rarely, reading a 0-length file with the Text Editor failed.

Security fixes

Resolved [CVE-2024-37891] | Updated the urllib3 package to version 1.26.20.
Resolved [CVE-2024-41131] | Updated the form-recognizer package to 2022-08-31.20241107.1-14d4cf9e.
Resolved [CVE-2024-52304] | Updated aiohttp package to version 3.10.11.
Resolved [[CVE-2024-49768]] (https://nvd.nist.gov/vuln/detail/CVE-2024-49768) | Updated the waitress package to version 3.0.1.
Resolved [CVE-2024-7254] | Updated opensearch version to 2.18. <!–VTEST–47373–>
Resolved [CVE-2021-41495] | Updating package numpy to version 1.22.2.
Resolved [CVE-2024-7254], [CVE-2024-47554] | Fixed vulnerability issues for protoc and commons.io in the conversion service.
Resolved [CVE-2024-38808] | Update spring-expression to 5.3.39.
Resolved [CVE-2024-5452] | Upgraded pytorch-lightning package to version 2.4.
Resolved [CVE-2024-28122] | Upgraded package jwx to version 1.2.29.
Resolved [CVE-2024-35255] | Upgraded azidentity package to version 1.6.0.
Resolved [CVE-2016-2510] | Removed libbsh-java and dependent libreoffice helper packages.
Resolved [CVE-2024-7254]
Resolved [CVE-2022-1996] | Upgrade package go-restful to version 2.16.
Resolved [CVE-2024-6345] | Upgraded package setuptools to version 70.0.
Resolved [CVE-2020-26892] | Upgraded package github.com/nats-io/jwt to version 1.1.0 and package github.com/nats-io/nats-server/v2 to version 2.1.9.
Resolved [CVE-2023-39631] | Updated the numexpr package to 2.8.5.
Resolved [CVE-2019-25211] | Updated the cors package to v1.6.0.
Resolved [CVE-2023-5752] | Updated the pip package to 24.3.1.
Resolved [CVE-2024-6345] | Updated pip setuptools.
Resolved [CVE-2024-8986] | Updated Grafana to version 11.3.0.
Resolved [[CVE-2024-7965]](https://nvd.nist.gov/vuln/detail/CVE-2024-7965| Updated the google-chrome-stable package to 129.0.6668.58-1.
Resolved [CVE-2024-7965] | Upgraded playwright to 1.47.0 and validated the correct version of Chromium is installed.
Resolved [CVE-2024-41110] | Upgraded package github.com/docker/docker to version 23.0.15,25.0.6,26.1.5,27.1.1 or later.
Resolved [CVE-2023-7104] | The github.com/mattn/go-sqlite3 package has been updated to version 1.14.18.
Security | Upgraded prometheus to v2.55.0.
Security | Upgraded /nats-server/v2 package to version 1.17.11.